commented sample configurations for most common and some special use cases

We collect some useful configuration examples here giving hints on proper use of available options.

General hints:

Content for different section grouped in one example must be used together.

Option names are written in CamelCase style notation, but will get (re-)written all-lowercase, if added/updated via the Trac admin web-UI. As you see, case doesn't really matter here.

Basic configuration/Kickstart

AccountManagerPlugin replaces the traditional Trac login feature with a webform, because LoginModule is enabled in all examples below. No additional action is required since acct_mgr-0.4, but older plugin versions required to disable the obsoleted Trac core component explicitly:

Create users

Create the first user through browser-based registration enabled by following additional lines in components section of trac.ini:

[components]acct_mgr.register.*=enabled

Don't add another components section, just the configuration line with 'enabled' into an existing components section. After user creation you may choose to disable registration by uncommenting the RegistrationModule setting above or changing it to:

[components];need this for first useracct_mgr.register.*=disabled

Or just use the plugins admin page form Trac's web interface, after you've given admin priviledges to the first user you created.

Award an existing user account for Trac admin

Goodies

There are some misc options for account-manager section of trac.ini you may want to set/unset depending on your requirements:

Option

Default Value

Recommendation

Available Since

reset_password

True

Disallow password reset if needed.

acct_mgr-0.?

generated_password_length

8

Useful only with reset enabled. Raise the bar for brute-force attacks on user passwords, if you feel this is needed. AccountGuard might still be a more powerful alternative, see Account Locking section below.

acct_mgr-0.?

force_passwd_change

True

Useful only with reset enabled. Randomly generated passwords should be motivation enough to change them, but YMMV.

acct_mgr-0.?

See the paragraphs below for a more detailed explanation of some of these settings.

Advanced configurations

Password Reset

You need an authentication store enabled and configured correctly as a per-requisite here. Additionally explicitly enable or unset the following option:

enables password reset for both, admin (for everyone) and regular users (only for their own account).
A detailed explanation of the 'lost password' procedure is available too.

Note: Hiding of non-functional parts from the web-UI has been corrected for acct_mgr-0.4.1, and the plugin complains on misconfiguration too, see trac.log

Persistent Sessions

[account-manager]persistent_sessions=true

will allow users to be remembered across sessions without needing to re-authenticate. This is, a user checks a "Remember Me" checkbox on the login page and, next time he visits the site, he/she will be remembered.

Single Sign On

In a setup with multiple Trac environments per domain/host chances are that users want to work with several projects simultaneously. 40 and more environments served by a single Trac install have been reported from private networks as well as seen on the web.

To address the demand for authentication information sharing between some/all of the Trac environments in such a setup a login synchronization process has been introduced for acct_mgr-0.4. It relies on a non-default value for the path of trac_auth and trac_auth_session cookies. Otherwise the cookie wouldn't be recognized as related to different Trac environments by the web browser client:

[trac]auth_cookie_path=/var/www/trac

Hint: Even if this setting has been introduced in Trac 0.12, it could be set in trac.ini for older Trac versions, and AcctMgr will use it, specifically providing a cookie path fix-up for trac_auth cookies generated by Trac 0.11 and above.

An inherited trac.ini file is perfect for sharing this common setting and more between several Trac environments. Additionally delete existing trac_auth browser cookies. This is a one-time cleanup and only necessary to avoid unexpected login results after a cookie path change. Of course logging out in one Trac environment will terminate the authenticated session for all participants sharing authentication as indicated by the equal cookie path setting. A mixed setup containing both, authentication sharing and non-sharing environments side-by-side is valid and works well.

but this does nothing for backwards-compatibility, preventing surprises for unaware plugin-upgraders

As long as login_attempt_max_count == 0, login failure tracking is actually disabled and no other related option matters. The account locking section in the configuration admin panel (since acct_mgr-0.4.1) is quite self-explaining in the way how it conditionally hides irrelevant options. So it's worth a look even for the console guru, who doesn't immediately understand these options.